Previous: Step 2: Decorating the form Up to Contents Next: Step 4: Adding instructions

How to build submission forms using Xataface

A submission form (a form for users to submit information into a database) is a very common use-case for Xataface. This tutorial teaches you how to do it the right way.

Step 3: Adding Permissions

In order to allow the public to use your submission form (i.e. insert new records) but not edit, browse, or delete existing records, you need to define some permissions.

This tutorial assumes that you already understand the basic concepts of Xataface permissions.  For an introduction to Xataface permissions, see the Getting Started Tutorial.

As with any Xataface application that needs permissions, assume we have added our users table already.  We need to define permissions such that public users (i.e. users that haven't logged in) are able to submit the form (i.e. create new records) but nothing else.  We define our getPermissions() method on the registrants table as follows:

function getPermissions(&$record){
    // The application object gives access to the current request's
    // query parameters, with Xataface's default values already filled in.
    $app =& Dataface_Application::getInstance();
    $query =& $app->getQuery();

    if ( $query['-action'] == 'new'){
        // The "new record" form: every visitor, logged in or not,
        // is granted all permissions so that the submission can be saved.
        return Dataface_PermissionsTool::ALL();
    } else {
        // Every other action is granted on a per-user basis.
        $auth =& Dataface_AuthenticationTool::getInstance();
        $user =& $auth->getLoggedInUser();
        // isAdmin() is defined elsewhere in the application; it checks
        // whether the user's role carries administrator privileges.
        if ( $user and isAdmin($user->val('role'))){
            return Dataface_PermissionsTool::ALL();
        } else {
            return Dataface_PermissionsTool::NO_ACCESS();
        }
    }
}

A few notes on what is happening here:

  1. We use $app->getQuery() to obtain an associative array of the query parameters.  This is very similar to the $_GET or $_REQUEST superglobal arrays, except that default values have been filled into the array returned by getQuery().  For example, if the user doesn't specify a table with the '-table' parameter, then a default table is set, and this will be included in the array returned by getQuery().
  2. First we check whether the '-action' is 'new' (this would mean that we're adding a new record).  In this case we allow all permissions.
  3. In all other cases we grant permissions on a per-user basis.  We get a reference to the logged-in user object (this is a Dataface_Record object for the users table), and check whether this user is an administrator.  (Note that the isAdmin() function is defined elsewhere in my app.  It just checks the user's role and decides whether it should have administrator privileges.)
  4. We grant administrators all access; other users get no access.
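As an added illustration, not code from this tutorial or from Xataface itself, here is a variant of the same getPermissions() that keeps the anonymous grant as narrow as possible: in the 'new' action a visitor receives only the 'new' permission rather than ALL(), and the isAdmin() helper that the tutorial keeps elsewhere is given a sample definition.  The assumptions are that getPermissions() may return a plain associative array of permission name => 1 in place of the ALL()/NO_ACCESS() presets, that 'new' is the permission name for creating records, and that the users table stores the role value 'ADMIN' for administrators.

```php
<?php
// Added example of a least-privilege getPermissions() for the registrants
// table. Not part of the tutorial or of Xataface; see assumptions above.

// Hypothetical stand-in for the isAdmin() the tutorial defines elsewhere.
// An explicit allow-list with strict comparison means an unexpected role
// value (null, an integer, a padded string) is treated as "not admin".
function isAdmin($role){
    $adminRoles = array('ADMIN');   // assumed role value in the users table
    return in_array($role, $adminRoles, true);
}

function getPermissions(&$record){
    $app   =& Dataface_Application::getInstance();
    $query =& $app->getQuery();
    $action = isset($query['-action']) ? $query['-action'] : '';

    // Public submission form: grant only what the "new" action needs.
    // Returning an associative array of permission => 1 (assumed to be
    // accepted by Xataface) instead of ALL() leaves view, edit, delete and
    // list out of the anonymous grant.
    if ( $action === 'new' ){
        return array('new' => 1);
    }

    // Every other action (browse, view, edit, delete) is per user.
    $auth =& Dataface_AuthenticationTool::getInstance();
    $user =& $auth->getLoggedInUser();
    if ( $user and isAdmin($user->val('role')) ){
        return Dataface_PermissionsTool::ALL();
    }
    return Dataface_PermissionsTool::NO_ACCESS();
}
```

With this variant an anonymous visitor can still open and submit the form, but a request for any other action on the registrants table, including viewing the record just created, is refused, so the form's post-submit destination should be a page the visitor is permitted to see.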

(c) 2005-2024 All rights reserved